
Use the java.security file in Java 8

Starting with Java 8, WebSphere uses the IBMJDK java.security file.

On earlier versions of the JDK, WebSphere shipped its own customized java.security file. In Java 8, the WebSphere runtime security code has instead been changed to set up programmatically the security settings that used to be carried in that customized file.


Provider List

WebSphere ships a custom provider list that includes the PKCS11 and CMS providers, which the IBMJDK provider list did not previously include by default. In Java 8 these providers are added programmatically instead. The code checks whether each provider is already present in the provider list before adding it, so an entry that an administrator has already configured is left in place.
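The check-before-add behaviour described above, as an added example written for this page (it is not WebSphere's own initialization code): each provider is registered only if no provider of that name is already installed, and the resulting list is printed so the lookup order is visible. The provider names and implementation class names in the table are assumptions about the IBM JDK and should be verified against your JDK before use.

```java
import java.security.Provider;
import java.security.Security;

/**
 * Added example, not WebSphere code: register the IBM PKCS11 and CMS
 * providers only when they are missing from the JDK provider list.
 */
public class ProviderCheck {

    // Provider name -> implementation class. These names are ASSUMPTIONS
    // for illustration; confirm them against the IBM JDK you are running.
    private static final String[][] WANTED = {
        {"IBMPKCS11Impl", "com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl"},
        {"IBMCMSProvider", "com.ibm.security.cmskeystore.CMSProvider"},
    };

    /**
     * Adds the named provider if it is not installed. Returns true only when
     * this call actually added it; false if it was already present or the
     * implementation class cannot be loaded (for example on a non-IBM JDK).
     */
    static boolean addIfMissing(String providerName, String className) {
        if (Security.getProvider(providerName) != null) {
            return false;   // already registered: leave it (and its priority) alone
        }
        try {
            Provider p = (Provider) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
            // addProvider appends at the lowest priority and returns -1 if a
            // provider with the same name is already installed.
            return Security.addProvider(p) != -1;
        } catch (ReflectiveOperationException | ClassCastException e) {
            // Class not available in this JDK: nothing to add.
            return false;
        }
    }

    public static void main(String[] args) {
        for (String[] w : WANTED) {
            String result = addIfMissing(w[0], w[1]) ? "added" : "present or unavailable";
            System.out.printf("%-16s %s%n", w[0], result);
        }
        // Position in this list is the order in which algorithm lookups are tried.
        int i = 1;
        for (Provider p : Security.getProviders()) {
            System.out.printf("%2d  %-20s %s%n", i++, p.getName(), p.getInfo());
        }
    }
}
```

Run it with the IBM JDK's java on the classpath and compare the printed order against the provider list in java/jre/lib/security/java.security; a provider appended by addProvider sits at the end, which matters if an earlier provider also implements the algorithm you want.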


Default SSLSocketFactory and SSLServerSocketFactory

WebSphere SSL code depends on custom socket factories for features such as programmatic SSL and dynamic outbound SSL. The custom socket factories are selected through the security properties defined in the java.security file. The WebSphere SSL initialization code sets these properties programmatically if they are not already set, so the features that depend on them keep working on the server.

Thin clients and administrative clients normally run the same SSL initialization code, which sets the WebSphere socket factories programmatically. Some user-written client programs, however, rely on the WebSphere socket factories being in place to trigger WebSphere client SSL initialization. If a client needs the factories set before that initialization can take place, add the socket factory properties to the JDK's java.security file. Note that the JDK reads ssl.SocketFactory.provider the first time SSLSocketFactory.getDefault() is called and caches the result, so the properties must be in effect before any code in the client JVM obtains a default socket factory.

ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

Alternatively, create a separate file containing the two properties listed above and point the client JVM at it with the java.security.properties system property. The JDK merges the entries in that file over its own java.security; this works only while security.overridePropertiesFile=true in the JDK's java.security (the default), and the value must be given with a single = prefix, because a value prefixed with == replaces the entire java.security file rather than merging into it. Assuming the properties are in a file called socket.properties, the client program is started like this:

java -Djava.security.properties=socket.properties  clientProgram
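A diagnostic client, added here as an example and not part of the original page or of WebSphere, that shows from inside the client JVM whether the two socket factory properties are in effect and whether the JDK actually resolved its default factories through them. It uses only the property names and class names given above; the class name SocketFactoryCheck and the diagnostic message are assumptions of this example.

```java
import java.security.Security;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example, not WebSphere code: verify that the WebSphere socket factory
 * properties are set and that the JDK default factories resolve to them.
 * Run it before any other SSL code, because getDefault() caches its result.
 */
public class SocketFactoryCheck {

    static final String SF_PROP  = "ssl.SocketFactory.provider";
    static final String SSF_PROP = "ssl.ServerSocketFactory.provider";
    static final String WAS_SF   = "com.ibm.websphere.ssl.protocol.SSLSocketFactory";
    static final String WAS_SSF  = "com.ibm.websphere.ssl.protocol.SSLServerSocketFactory";

    /** True when both security properties name the WebSphere factories. */
    static boolean propertiesSet() {
        return WAS_SF.equals(Security.getProperty(SF_PROP))
            && WAS_SSF.equals(Security.getProperty(SSF_PROP));
    }

    /** True when the JDK's default factories are the WebSphere implementations. */
    static boolean factoriesResolved() {
        String sf  = SSLSocketFactory.getDefault().getClass().getName();
        String ssf = SSLServerSocketFactory.getDefault().getClass().getName();
        return WAS_SF.equals(sf) && WAS_SSF.equals(ssf);
    }

    public static void main(String[] args) {
        System.out.println(SF_PROP  + " = " + Security.getProperty(SF_PROP));
        System.out.println(SSF_PROP + " = " + Security.getProperty(SSF_PROP));
        System.out.println("properties name the WebSphere factories: " + propertiesSet());

        // If the property is set but the class cannot be loaded, the JDK does
        // not throw here: it installs a placeholder factory that fails on first
        // use, so the class name printed below is the only early warning.
        System.out.println("SSLSocketFactory.getDefault()       -> "
                + SSLSocketFactory.getDefault().getClass().getName());
        System.out.println("SSLServerSocketFactory.getDefault() -> "
                + SSLServerSocketFactory.getDefault().getClass().getName());

        if (propertiesSet() && !factoriesResolved()) {
            // Assumed diagnostic for this example: the usual cause is a missing
            // WebSphere client jar on the classpath.
            System.out.println("properties are set but the WebSphere factory classes "
                    + "did not load; check that the WebSphere client jars are on the classpath");
        }
    }
}
```

Start it exactly as the page shows, for example java -Djava.security.properties=socket.properties SocketFactoryCheck, once without the -D option and once with it: the first run should print null for both properties and the JDK's own factory classes, the second should print the WebSphere class names for both.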

WebSphere also provides a mechanism to augment the java.security file. For system-wide changes, edit the WAS_HOME/properties/java.security file: any entry in this file overrides the corresponding entry in the java/jre/lib/security/java.security file. Put only the differences in this file, and never copy the entire JDK file into it. The java.security file in java/jre/lib/security is overwritten when Java updates are applied, so security fixes delivered through that file in a future Java service release are picked up automatically, whereas the file in WAS_HOME/properties is non-serviceable: a full copy would freeze every setting at whatever was current when it was copied, and shadow those fixes.